> ----- Original Message -----
> From: "Raphael Luta" <[EMAIL PROTECTED]>
> To: "JetSpeed" <[EMAIL PROTECTED]>
> Sent: Tuesday, November 21, 2000 12:13 PM
> Subject: Re: Possible bugs with isLocal and "file://"
>
>
> Stephan Hesmer wrote:
> >
> > There is possibly a new bug in Jetspeed, due to the changes to EngineContext
> > and JetspeedServlet.
> >
> > The new getResource function in EngineContext returns a URL to a resource
> > on the server, which is normally local. For example:
> > It returns "file:D:\jakarta-tomcat\webapps\ROOT/content/psml/default.psml"
> > for "/content/psml/default.psml"
> >
>
> Some bugs are corrected in the upcoming EngineContext service, but I think
> most of your issues will stay...
>
> > This causes several problems:
> > * the RSS portlet is not running anymore (in my case the Jetspeed portlet),
> > and
>
> The Jetspeed portlet is not RSS, it's jetspeed content. This works on my
> machine so I believe this is already fixed in the EngineContext service.

I meant the "Jetspeed" portlet, which is based on the RSSPortlet. The
JetspeedContent is also working on my machine. Did I miss something here?

        <portlet-entry type="abstract" name="RSS">
            <classname>org.apache.jetspeed.portal.portlets.RSSPortlet</classname>
            <parameter name="itemDisplayed" value="10" type="int"/>
            <parameter name="stylesheet" value="/content/xsl/rss.xsl"/>
        </portlet-entry>

        <portlet-entry type="instance" name="JetspeedContent">
            <classname>org.apache.jetspeed.portal.portlets.JetspeedContent</classname>
            <parameter name="provider-name" value="jetspeed"/>
        </portlet-entry>

        <portlet-entry type="ref" parent="RSS" name="Jetspeed">
            <url>/content/xml/rss/Jetspeed.rss</url>
        </portlet-entry>


> > * the url is not considered as local from Jetspeed (Jetspeed is looking for
> > "file://")
> >
> > While changing and testing it on my PC, I discovered several code pieces,
> > which do not make sense or I simply do not understand:
> > * PortletFactory
> >         //make sure that no one tries to instantiate a portlet with a file URL
> >         if ( pc.getURL() != null && pc.getURL().indexOf( "file://" ) == 0 ) {
> >             String message = "Local URLs not served through HTTP to prevent security holes: " + pc.getURL();
> >             Log.error( message );
> >             throw new PortletException( message );
> >         }
> > ok, before modifying EngineContext a local URL was represented by
> > "http://localhost:port/..." . But now, it is something like "file:D:/....".
> > So, do we have luck that we are asking here for "file://" ? Surely, we can
> > not rely on that information, because other servers than Tomcat could return
> > "file://".
> > On the other side, we will get a problem when fixing this code... nearly
> > every portlet is rejected and therefore not displayed
> >
>
> IMO, we should accept any URL in the PortletFactory and not filter out 'file:'
> URLs.
> Why ? because every URL the PortletFactory sees is "trusted" since it
> can only be registered by the administrator or the feed daemon, users never
> specify themselves their URLs.
>
> I think it's safe to always trust the administrator configured file since if
> someone unauthorized can modify this file, it's most likely he can modify the
> system in other ways that would create unsecured access to local files.
> However the Feed Daemon should filter which URLs it accepts to prevent bogus
> feeds from creating security issues.
>
>
> > * JetspeedDiskCache
> >         //attempt to see if the user didn't specify a URL if they didn't then
> >         //assume it is localhost with the servlet port
> >         if ( DiskCacheUtils.isLocal( url )  &&
> >             url.indexOf("file://") == -1  ) {
> > Why do we ask here for isLocal and forbid "file://" ? Someone who knows this
> > code better than me?
> >
> > * DiskCacheUtils
> > In this file you can find the isLocal function, which asks for "file://"....
> > do I have to say anymore?
> >
>
> Nope. I've tried to understand the JetspeedDiskCache system when working on
> the URLManager and pretty quickly became very confused about the way it works.
> Santiago seems to have got it however since I saw a lot of patches done by
> him in these files.
> I'm just waiting for his clean-up of this component...
>
> >
> > I think, that Jetspeed needs to recognize this type of URL (file:D:/...) as
> > local, and therefore we have to change the files I mentioned above. Does
> > anybody know who wrote or modified the files or who is working on the
> > isLocal stuff?
> >
>
> +1 for the change.
> I think Santiago or Kevin are the one who can help you on this subject.
>
> --
> Raphaël Luta - [EMAIL PROTECTED]
>
>
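
The prefix test quoted in this thread (`indexOf("file://") == 0`) next to a comparison on the parsed scheme, plus a scheme allowlist of the kind suggested for feed-supplied URLs. This is an added example, not Jetspeed code: the class and method names are hypothetical, the samples other than the first are constructed, and the allowlist contents are an assumption.

```java
import java.util.Locale;
import java.util.Set;

public class UrlSchemeCheck {
    // Assumption: URLs arriving from a feed may only be fetched over HTTP(S).
    private static final Set<String> FEED_SCHEMES = Set.of("http", "https");

    /** Lower-cased scheme per RFC 3986 (ALPHA *(ALPHA / DIGIT / "+" / "-" / ".")), or null. */
    static String scheme(String url) {
        if (url == null) return null;
        String s = url.trim();
        int colon = s.indexOf(':');
        if (colon < 1) return null;               // no scheme, e.g. "/content/..."
        for (int i = 0; i < colon; i++) {
            char c = s.charAt(i);
            boolean alpha = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
            boolean rest = (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
            if (!(alpha || (i > 0 && rest))) return null;
        }
        return s.substring(0, colon).toLowerCase(Locale.ROOT);
    }

    /** The prefix test from the thread: matches only the literal "file://". */
    static boolean legacyIsFileUrl(String url) {
        return url != null && url.indexOf("file://") == 0;
    }

    /** Scheme comparison: matches file:D:\..., file:/..., file:///..., FILE:... */
    static boolean isFileUrl(String url) {
        return "file".equals(scheme(url));
    }

    /** Allowlist for untrusted (feed-supplied) URLs: anything not listed is refused. */
    static boolean feedMayUse(String url) {
        String sc = scheme(url);
        return sc != null && FEED_SCHEMES.contains(sc);
    }

    public static void main(String[] args) {
        String[] samples = {   // first value is from the thread, the rest are constructed
            "file:D:\\jakarta-tomcat\\webapps\\ROOT/content/psml/default.psml",
            "file:///var/data/example.rss",
            "FILE:/var/data/example.rss",
            "http://localhost:8080/content/xml/rss/Jetspeed.rss",
            "/content/xml/rss/Jetspeed.rss" };
        for (String u : samples) {
            System.out.printf("%-66s legacy=%-5b file=%-5b feedOk=%b%n",
                    u, legacyIsFileUrl(u), isFileUrl(u), feedMayUse(u));
        }
    }
}
```

Only the second sample satisfies the legacy prefix test, while the scheme comparison flags the first three; the allowlist accepts only the `http://` sample.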



